Threat Intelligence sharing practices for Security Operation Centres

  • Slides: 27
Threat Intelligence sharing practices for Security Operation Centres
2019 Joint HSF/OSG/WLCG Workshop, 19 March 2019

Motivation
• The future of academic computing security – Romain, CHEP 2016

Motivation
• Adversaries are motivated and well funded
  – Cybercrime
  – Better funded than us
• Malware as a Service (MaaS)
  – Ransomware
  – Straightforward to spend a few dollars for a DoS
• What do we have?
  – Our community

Motivation
• Within a given community (such as the WLCG), we see similar threats from similar actors
• Acting together, we can establish common response mechanisms and support each other
• By sharing threat intelligence we can better inform fellow sites to take action
  – Active (firewall blocks)
  – Passive (awareness and improved response)

Motivation
• Grid and campus teams
  – Traditionally, haven't always worked together
• Additional benefit of threat intelligence
  – Provides a route to increase cooperation
  – Grid team has intelligence
  – Campus team has access to deeper (network) monitoring

Introduction
• Key element: sharing between trusted parties
  – How to achieve this?
• WLCG already has a level of trust, both
  – via assertion
    • I trust this organization, so I trust this site
  – via years of effort

Introduction
• WLCG SOC working group
• Two areas of work
  – Technology stack
  – Threat intelligence

SOC WG initial model (diagram slides; no text content)

MISP
• Sharing models (diagram slides)
  – Full mesh
  – Hub and spoke

WLCG MISP
• TLP:GREEN and TLP:WHITE
  – For now
• Available to people via CERN SSO
  – CERN accounts
  – Federated ID with SIRTFI
    • https://refeds.org/sirtfi

Traffic Light Protocol
  RED    Not for disclosure, restricted to participants only.
  AMBER  Limited disclosure, restricted to participants' organizations.
  GREEN  Limited disclosure, restricted to the community.
  WHITE  Disclosure is not limited.

WLCG MISP
• Initial plan
  – Start with sites pulling event data from the WLCG instance
  – Via
    • web app (visually inspect data)
    • API client (direct to IDS)
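Putting the TLP slide and the two WLCG MISP slides together (only TLP:GREEN and TLP:WHITE are shared for now, and sites pull events via an API client straight into their IDS), here is an added example, not code from the WLCG SOC WG or from MISP, of the filter a site would want between the MISP pull and a Zeek intel feed. The sample events are constructed in the shape of a MISP event export, and the "WLCG-MISP:event-<id>" source label and the attribute-type mapping are assumptions for illustration.

```python
# TLP levels, least to most restrictive. The WLCG instance shares GREEN and WHITE only for now.
TLP_ORDER = {"white": 0, "green": 1, "amber": 2, "red": 3}

# MISP attribute type -> Zeek Intel framework indicator type (unmapped types are skipped).
ZEEK_TYPE = {"ip-src": "Intel::ADDR", "ip-dst": "Intel::ADDR", "domain": "Intel::DOMAIN",
             "hostname": "Intel::DOMAIN", "url": "Intel::URL", "sha256": "Intel::FILE_HASH"}

def tlp_of(obj, default):
    """Read a tlp:<level> tag from a MISP event or attribute dict; fall back to default."""
    for tag in obj.get("Tag", []):
        name = tag.get("name", "").lower()
        if name.startswith("tlp:") and name[4:] in TLP_ORDER:
            return name[4:]
    return default

def shareable_indicators(events, max_tlp="green"):
    """Return (indicator, zeek_type, source, desc) rows a site may push to its IDS.
    Kept only if flagged to_ids, of a mappable type, and the stricter of event- and
    attribute-level TLP is at or below max_tlp. An untagged event counts as TLP:RED."""
    limit, rows = TLP_ORDER[max_tlp], []
    for wrapper in events:
        ev = wrapper["Event"]
        ev_tlp = tlp_of(ev, "red")
        for attr in ev.get("Attribute", []):
            level = max(TLP_ORDER[ev_tlp], TLP_ORDER[tlp_of(attr, ev_tlp)])
            zeek_type = ZEEK_TYPE.get(attr.get("type"))
            if level > limit or not attr.get("to_ids") or zeek_type is None:
                continue
            rows.append((attr["value"], zeek_type, f"WLCG-MISP:event-{ev['id']}", ev.get("info", "")))
    return rows

def zeek_intel_file(rows):
    """Render rows in the tab-separated input format of the Zeek Intel framework."""
    lines = ["#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"]
    lines += ["\t".join(f.replace("\t", " ").replace("\n", " ") for f in r) for r in rows]
    return "\n".join(lines) + "\n"

# Constructed sample in the shape of a MISP event export; placeholder values, not real IoCs.
SAMPLE_EVENTS = [
    {"Event": {"id": "101", "info": "Constructed: SSH brute-force campaign",
               "Tag": [{"name": "tlp:green"}],
               "Attribute": [{"type": "ip-src", "value": "203.0.113.7", "to_ids": True},
                             {"type": "domain", "value": "c2.example.invalid", "to_ids": True,
                              "Tag": [{"name": "tlp:amber"}]},  # attribute stricter than event
                             {"type": "ip-src", "value": "203.0.113.8", "to_ids": False}]}},
    {"Event": {"id": "102", "info": "Constructed: amber-only investigation",
               "Tag": [{"name": "tlp:amber"}],
               "Attribute": [{"type": "ip-dst", "value": "198.51.100.9", "to_ids": True}]}},
    {"Event": {"id": "103", "info": "Constructed: untagged event",  # no TLP tag -> not shared
               "Attribute": [{"type": "ip-dst", "value": "198.51.100.10", "to_ids": True}]}}]
```

Only the first event's untagged, to_ids-flagged address survives the default GREEN limit; the amber-tagged attribute, the amber event and the untagged event are all held back, and `zeek_intel_file(shareable_indicators(SAMPLE_EVENTS))` can be written to a file loaded via Zeek's `Intel::read_files`.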

Current status
• Currently have a handful of sites that have synced to the WLCG instance
• Most deployments in development phase
• Following the SOC Workshop in February, focus on threat intelligence

Call for participation
• International participation
• Started as a WLCG group but widened scope
  – NRENs
  – Other academic institutions
  – EGI FedCloud
• Develop specific guidelines for WLCG, best practices for use in other communities

US involvement
• Already have great participation from the US
  – AGLT2
  – Very nice session at last workshop on deploying CERN scripts for SOC alert aggregation and correlation
• Would love to see more sites involved
  – Great to have more experienced Zeek sites

Considerations
• GDPR
  – Very nice discussion by MISP
  – Incident Response under GDPR – Andrew Cormack

Considerations (stakeholders)
• Management
• Site admins
• Users
• CSIRTs

Conclusion
• The technology to share intelligence already exists and is mature
  – In use in many communities already
  – We can benefit from this!
• Need to work on the social and political process
  – Use the SOC WG as a forum for this

Questions?

Backup slides

CERN SOC (diagram slide; no text content)